authorFrancisco Lopez <fjlopez@gitlab.com>2017-11-08 10:13:22 +0100
committerFrancisco Lopez <fjlopez@gitlab.com>2017-11-17 10:01:21 +0100
commit374179a97042da3a4d5312afcdb0dc90a44634f0 (patch)
tree32c75aada478c764f4ebdd36f3b981f968d4f452
parent41ebd06ddc837c80ba6ca95c6d5fea2b76cef8d2 (diff)
downloadgitlab-ce-374179a97042da3a4d5312afcdb0dc90a44634f0.tar.gz
Removing private token
-rw-r--r--lib/api/api_guard.rb7
-rw-r--r--lib/gitlab/auth/user_auth_finders.rb16
-rw-r--r--spec/requests/rack_attack_global_spec.rb27
3 files changed, 16 insertions, 34 deletions
diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index 9ada2d5ebb1..9c68830ae34 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -45,6 +45,7 @@ module API
include Gitlab::Utils::StrongMemoize
def find_current_user!
+ set_raise_unauthorized_error
user = find_user_from_access_token || find_user_from_warden
return unless user
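Review bot: The added `set_raise_unauthorized_error` call flips an instance flag that nothing in this commit ever clears, so once find_current_user! has run, any later handle_return_value! call on the same object appears to raise on a falsy value instead of returning nil as it did before; if the endpoint object outlives this request, or other finders are called afterwards, that is a behaviour change worth a comment here. The intent is not stated in the hunk; a line such as `# Finders raise UnauthorizedError for an invalid token on API requests instead of returning nil` above the call would make it clear. The body of find_current_user! continues outside the hunk.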
@@ -74,12 +75,6 @@ module API
private
- def handle_return_value!(value, &block)
- raise UnauthorizedError unless value
-
- block_given? ? yield(value) : value
- end
-
def private_token
params[PRIVATE_TOKEN_PARAM].presence || env[PRIVATE_TOKEN_HEADER].presence
end
diff --git a/lib/gitlab/auth/user_auth_finders.rb b/lib/gitlab/auth/user_auth_finders.rb
index 93f3cae0a95..86f1c13d4b8 100644
--- a/lib/gitlab/auth/user_auth_finders.rb
+++ b/lib/gitlab/auth/user_auth_finders.rb
@@ -29,7 +29,9 @@ module Gitlab
private
def handle_return_value!(value, &block)
- return unless value
+ unless value
+ raise_unauthorized_error? ? raise_unauthorized_error! : return
+ end
block_given? ? yield(value) : value
end
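Review bot: Using `return` as one arm of a ternary in the new `unless value` branch is hard to read and is the kind of construct RuboCop flags; the same logic reads better as two statements, `raise_unauthorized_error! if raise_unauthorized_error?` followed by `return`, inside the `unless` block. That keeps the raise-or-nil decision identical while making the early exit visible at a glance. The enclosing module definition starts and ends outside the hunk.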
@@ -75,6 +77,18 @@ module Gitlab
ActionDispatch::Request.new(request.env)
end
+
+ def raise_unauthorized_error?
+ defined?(@raise_unauthorized_error) ? @raise_unauthorized_error : false
+ end
+
+ def set_raise_unauthorized_error
+ @raise_unauthorized_error = true
+ end
+
+ def raise_unauthorized_error!
+ raise API::APIGuard::UnauthorizedError
+ end
end
end
end
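Review bot: The new `raise_unauthorized_error!` references `API::APIGuard::UnauthorizedError` from inside Gitlab::Auth::UserAuthFinders, which makes the auth-finder module depend on the API layer that includes it; the error class is also only resolvable when the API code is loaded, so these helpers will not work for any other includer of this module. The three helpers carry no documentation of the flag they share, and `raise_unauthorized_error?` guards with `defined?` for a reason (presumably the uninitialized-ivar warning) that is not obvious; a header comment such as `# @raise_unauthorized_error is set by the API layer so that an invalid token raises instead of yielding nil; it is never reset on this object` would cover all three. If the dependency direction is deliberate, a short comment saying so next to the `raise` line would save the next reader from trying to move it.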
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index 9a0513d66a7..9cda4bcf966 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -189,26 +189,6 @@ describe 'Rack Attack global throttles' do
end
end
- describe 'API requests authenticated with private token', :api do
- let(:user) { create(:user) }
- let(:other_user) { create(:user) }
- let(:throttle_setting_prefix) { 'throttle_authenticated_api' }
-
- context 'with the token in the query string' do
- let(:get_args) { [api(api_partial_url, user)] }
- let(:other_user_get_args) { [api(api_partial_url, other_user)] }
-
- it_behaves_like 'rate-limited token-authenticated requests'
- end
-
- context 'with the token in the headers' do
- let(:get_args) { api_get_args_with_token_headers(api_partial_url, private_token_headers(user)) }
- let(:other_user_get_args) { api_get_args_with_token_headers(api_partial_url, private_token_headers(other_user)) }
-
- it_behaves_like 'rate-limited token-authenticated requests'
- end
- end
-
describe 'API requests authenticated with personal access token', :api do
let(:user) { create(:user) }
let(:token) { create(:personal_access_token, user: user) }
@@ -261,13 +241,6 @@ describe 'Rack Attack global throttles' do
let(:throttle_setting_prefix) { 'throttle_authenticated_web' }
context 'with the token in the query string' do
- context 'with the atom extension' do
- let(:get_args) { [rss_url(user)] }
- let(:other_user_get_args) { [rss_url(other_user)] }
-
- it_behaves_like 'rate-limited token-authenticated requests'
- end
-
context 'with the atom format in the Accept header' do
let(:get_args) { [rss_url(user), nil, { 'HTTP_ACCEPT' => 'application/atom+xml' }] }
let(:other_user_get_args) { [rss_url(other_user), nil, { 'HTTP_ACCEPT' => 'application/atom+xml' }] }